freeradius and ADSL-Agent-Circuit-Id
Tim Sylvester
tim.sylvester at networkradius.com
Thu Jul 29 01:31:37 CEST 2010
Try the following:
Add this to the top of the Authorize section:
authorize {
    # If the request carries a Circuit-Id, use it as both the user name and
    # the password, so the radcheck rows for that circuit decide the request.
    if (ADSL-Agent-Circuit-Id) {
        update request {
            User-Name := "%{ADSL-Agent-Circuit-Id}"
            User-Password := "%{ADSL-Agent-Circuit-Id}"
        }
    }
    # ... the rest of the existing authorize section ...
}
Then, add the Circuit-IDs to radcheck:
mysql> select * from radcheck where username = "circuit-123";
+--------+-------------+-----------------------+----+-------------+
| id     | username    | attribute             | op | value       |
+--------+-------------+-----------------------+----+-------------+
| 226536 | circuit-123 | ADSL-Agent-Circuit-Id | == | circuit-123 |
| 226537 | circuit-123 | Cleartext-Password    | := | circuit-123 |
+--------+-------------+-----------------------+----+-------------+
2 rows in set (0.00 sec)
Then run a test to make sure that when using the Circuit-Id to authenticate
the device, the ADSL-Agent-Circuit-Id must be in the request.
[root at sparky performance]# cat circuit-id.rad
User-Name = "test"
User-Password = "FreeRADIUS"

User-Name = "circuit-123"
User-Password = "circuit-123"

User-Name = ""
ADSL-Agent-Circuit-Id = "circuit-123"

User-Name = "void"
ADSL-Agent-Circuit-Id = "circuit-123"
[root at sparky performance]#
[root at sparky performance]# radclient -f circuit-id.rad localhost auth
FreeRADIUS
Received response ID 81, code 2, length = 20
Received response ID 165, code 3, length = 20
Received response ID 157, code 2, length = 20
Received response ID 119, code 2, length = 20
[root at sparky performance]#
Tim
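As an added illustration (not code from this reply or from the FreeRADIUS project), the following Python emulates the decision the configuration above makes for the four packets in circuit-id.rad: a radcheck `==` row is a check item that must match the request, a `:=` row sets a control item, and the unlang block overwrites the credentials whenever the Circuit-Id is present. The `test` user row is an assumption, since the thread does not show it; PAP is assumed throughout.

```python
# Added example, not from the thread: emulate how the unlang snippet plus the
# two radcheck rows decide the four packets in circuit-id.rad (PAP assumed).

# Constructed radcheck rows: the two circuit-123 rows from the thread plus an
# assumed "test" user (the thread's Access-Accept for it implies one exists).
RADCHECK = [
    ("test",        "Cleartext-Password",    ":=", "FreeRADIUS"),  # assumption
    ("circuit-123", "ADSL-Agent-Circuit-Id", "==", "circuit-123"),
    ("circuit-123", "Cleartext-Password",    ":=", "circuit-123"),
]

# The four packets from circuit-id.rad, as attribute dicts (constructed copy).
CIRCUIT_ID_RAD = [
    {"User-Name": "test", "User-Password": "FreeRADIUS"},
    {"User-Name": "circuit-123", "User-Password": "circuit-123"},
    {"User-Name": "", "ADSL-Agent-Circuit-Id": "circuit-123"},
    {"User-Name": "void", "ADSL-Agent-Circuit-Id": "circuit-123"},
]

def authorize(request, radcheck=RADCHECK):
    """Return 'Access-Accept' or 'Access-Reject' for one request."""
    req = dict(request)
    # The unlang block: a present Circuit-Id overrides User-Name and User-Password.
    if "ADSL-Agent-Circuit-Id" in req:
        req["User-Name"] = req["ADSL-Agent-Circuit-Id"]
        req["User-Password"] = req["ADSL-Agent-Circuit-Id"]
    rows = [r for r in radcheck if r[0] == req.get("User-Name")]
    if not rows:
        return "Access-Reject"          # unknown user
    control = {}
    for _, attr, op, value in rows:
        if op == "==" and req.get(attr) != value:
            return "Access-Reject"      # check item must match the request
        if op == ":=":
            control[attr] = value       # control item, e.g. Cleartext-Password
    if control.get("Cleartext-Password") != req.get("User-Password"):
        return "Access-Reject"          # PAP password mismatch
    return "Access-Accept"

def run_test_file(packets=CIRCUIT_ID_RAD):
    """Decide every packet, in file order, like the radclient run above."""
    return [authorize(p) for p in packets]

if __name__ == "__main__":
    for packet, result in zip(CIRCUIT_ID_RAD, run_test_file()):
        print(result, packet)
```

The second packet is rejected even though its user name and password are correct, because the `==` row requires the Circuit-Id to be in the request; the third and fourth are accepted with no usable User-Name at all, because the Circuit-Id replaces it.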
> -----Original Message-----
> From: freeradius-users-
> bounces+tim.sylvester=networkradius.com at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+tim.sylvester=networkradius.com at lists.freeradius.org] On Behalf
> Of Mike
> Sent: Wednesday, July 28, 2010 3:37 PM
> To: FreeRadius users mailing list
> Subject: Re: freeradius and ADSL-Agent-Circuit-Id
>
>
>
> Johan Meiring wrote:
> > On 2010/07/21 11:00 AM, Alan DeKok wrote:
> >>
> >> authorize {
> >>     ...
> >>     if (ADSL-Agent-Circuit-Id && \
> >>         ("%{sql: select ...}")) {
> >>         update control {
> >>             Auth-Type := Accept
> >>         }
> >>     }
> >>     else {
> >>         reject
> >>     }
> >> }
> >>
> >
> > I disagree with the logic slightly.
> > In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does
> > not exist.
> >
> > As far as I understand, the desirable result is:
> > If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication
> > must happen.
> > If it *does* exist, accept or reject, depending on its value.
> >
> > Would this not work better?
> >
> > authorize {
> >     ...
> >     if (ADSL-Agent-Circuit-Id) {
> >         if ("%{sql: select ...}") {
> >             update control {
> >                 Auth-Type := Accept
> >             }
> >         }
> >         else {
> >             reject
> >         }
> >     }
> > }
> >
> >
> >
> I have been attempting to implement this advice. I can use a 'select
> count(*)' sql query and based on whether the value is 1, I can then set
> Auth-Type := Accept just like it's written above. But, there's
> additional processing that is desirable that I just can't figure out
> how to do here. Instead of just blindly setting Accept, I might want to
> proceed with having the sql module do group processing and so forth to
> finally accumulate all of the reply attributes that apply to this
> request. Maybe that reply is 'Auth-Type := Reject' but then others
> contain 'Accept' along with framed-ip-address and so forth. This would
> involve using a modified sql query in the event that
> ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any
> way at run time to make that selection.
>
> I am getting the impression that perhaps I need to run maybe a second
> server that has its sql configured with queries tailored for the
> presence of this attribute, and then proxy requests from the primary
> server to this one in this case. I could probably run it on loopback on
> another port so that the radius clients don't have to know anything
> about it. Still it's a bit of work but that seems to be the only way
> possible to make sql query one database if the attribute is present,
> and query another if it's not (or, use different queries).
>
> Would love more insight if anyone cares to share.
>
> Thank you.